Hello everyone again! In today's post we will be going over Timelapse, an AD machine from HTB which was very interesting for me.

1) Starting off with an nmap scan to see what we are dealing with:

nmap -sC -sV -A -T4 <TARGET_IP>

2) From here I decided to start Kerberos user enumeration (brute force), as port 88 is open, by using Kerbrute:

kerbrute userenum -d <DOMAIN> /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc <DC_IP>

2.1) While that is running, let's enumerate other services. The most interesting one here is SMB (445). I checked if I can log in anonymously, and I can. From here we can see two interesting directories:

2.2) The HelpDesk directory is not that interesting; it contains a couple of Word documents from Microsoft about LAPS. I will keep that in the back of my mind in case we need it later.

2.3) The Dev directory is much more interesting, as it contains a .zip file, which I downloaded to my Kali machine right away. But it's password protected:

2.4) We can crack the password by following these steps:

2.4.1) Extract the hash using the zip2john tool.

2.4.2) Before we start cracking the hash, we need to edit it a little: delete the parts of the zip2john output that hashcat does not need (I marked them in red in the screenshot).

2.4.3) The final hash should look like this:

2.4.4) Now we can start cracking the hash. Usually I use bare metal to crack hashes for better performance, but since I am on macOS I wasn't able to use hashcat with mode 17200 for some reason, so instead I used my Kali machine:

hashcat -m 17200 zip.hash rockyou.txt

2.4.5) Cool, now we have a password! Upon unzipping the archive, I found a .pfx certificate. I quickly ran the strings command to check which username the certificate is for:

2.4.6) From here I thought the intended path was to conduct a Pass-the-Certificate attack, but it's not. Nevertheless, I will leave here what I tried, in case somebody is interested:

2.4.6.1) I used Certipy with the auth command first.

2.4.6.2) However, Certipy doesn't support password-protected .pfx certificates, so we have to export an unprotected copy. To do so we need the certificate's password. The command is:

certipy cert -export -pfx <TARGET_PFX> -password "<CERT_PASSWORD>" -out "unprotected.pfx"

2.4.6.3) Okay, let's see how we can crack the .pfx certificate's password. After some investigation I found a really cool tool, crackpkcs12: https://github.com/crackpkcs12/crackpkcs12

2.4.6.4) Now we can use Certipy to export this certificate as an unprotected one:

2.4.6.5) Finally we can run:

certipy auth -pfx unprotected.pfx -dc-ip 10.10.11.152 -username 'legacy' -domain 'timelapse.htb'

But this failed :/

2.4.7) At this point I learned that we can pass the certificate with evil-winrm as well, but we also need to do some additional steps. According to this article, we need to extract the public and private key from the .pfx certificate in PEM format. Since we cracked the certificate's password, we can do that:

2.4.7.1) Extract the public key (the certificate):

openssl pkcs12 -in <CERTIFICATE.pfx> -clcerts -nokeys -out publicCert.pem

2.4.7.2) Extract the private key:

openssl pkcs12 -in <CERTIFICATE.pfx> -nocerts -out priv-key.pem -nodes

## When prompted for a password, enter the certificate's password ##
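To show what the two openssl commands above actually produce, and to add the check I always run before trusting a split PFX, here is an added example that is not part of the original post. It builds its own throwaway password-protected PFX from a self-signed certificate (so it runs offline with no HTB material), extracts the certificate and the private key into PEM non-interactively, reads the subject the certificate was issued to (what the post looked up with strings), and verifies that the extracted key really belongs to the extracted certificate. All file names and the password "demo-pass" are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: split a password-protected PFX into
# PEM certificate + private key and verify the pair matches.
# Assumed names: demo.pfx, demo.pem, demo-key.pem; assumed password: demo-pass.
set -e

WORK="$(mktemp -d)"
PFX_PASS="demo-pass"

# Constructed input: a self-signed certificate bundled into a password-protected PFX.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
    -keyout "$WORK/orig-key.pem" -out "$WORK/orig-cert.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/orig-cert.pem" -inkey "$WORK/orig-key.pem" \
    -out "$WORK/demo.pfx" -passout "pass:$PFX_PASS"

# Same two openssl steps as the post, but fed the password via -passin so they
# do not prompt.  $1 = pfx, $2 = password, $3 = cert out, $4 = key out
extract_pem() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$3" -passin "pass:$2"
    openssl pkcs12 -in "$1" -nocerts -nodes -out "$4" -passin "pass:$2"
}

# The identity the certificate was issued to (replaces the `strings` guesswork).
cert_subject() {  # $1 = cert pem
    openssl x509 -in "$1" -noout -subject
}

# The check: the public key inside the certificate and the public key derived
# from the private key must be byte-identical (compared by SHA-256 of the DER).
# Prints "match" or "mismatch".  $1 = cert pem, $2 = key pem
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

extract_pem "$WORK/demo.pfx" "$PFX_PASS" "$WORK/demo.pem" "$WORK/demo-key.pem"
cert_subject "$WORK/demo.pem"
key_matches_cert "$WORK/demo.pem" "$WORK/demo-key.pem"
```

If the last line prints "mismatch", the PFX contained more than one key or certificate and `-clcerts` picked a different one than `-nocerts` did; inspect the bundle with `openssl pkcs12 -in file.pfx -info -nokeys` before going further.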

2.4.8) Finally, let's use evil-winrm as:

3) We got the user flag, cool! Let's see what we can do to escalate our privileges to Domain Admin.

3.1) Typically I would use the compromised user's credentials to enumerate AD further with BloodHound, but since I don't have a password at the moment (only the certificate), we have to change the approach. Let's transfer SharpHound to the remote host to do the enumeration for us, then transfer the result back to our machine and upload it to BloodHound.

Transfer with certutil failed, but that is fine; we can use the upload command from evil-winrm itself:

Just execute:

upload <path_to_SharpHound_locally>

3.2) Command to execute SharpHound and collect data from the remote host:

.\SharpHound.exe --CollectionMethods All --ZipFileName output.zip

3.3) Another problem now: the data collected by SharpHound didn't work with my currently installed version of BloodHound (it wouldn't load), so I decided to install the newest version on my Mac, as I had some issues installing it on my Kali. I did so via Docker; more information on how to do that can be found here: https://github.com/SpecterOps/BloodHound

Use evil-winrm's download command to download the zip file produced by SharpHound:

Then upload it to BloodHound, and with the new install everything works fine!

3.4) At first glance I didn't see the intended privilege escalation path, as the legacyy user is pretty basic; nothing interesting there. But after executing one of BloodHound's built-in queries ("Find Shortest Path to Domain Admin" or "Find Shortest Paths to High Value Targets", I don't remember exactly which) I saw the svc_deploy service account, which looked pretty interesting:

3.5) Let's enumerate it more closely:

3.6) Now it's obvious: svc_deploy can read the LAPS password (remember the Word documents we found at the very beginning). This means we have to find a way to get svc_deploy's credentials.

3.7) I struggled here for a while. The remote host didn't allow WinPEAS, so everything had to be done manually. At first I thought the password was hidden in the registry, but no. Then I spent a lot of time enumerating the system in order to find something interesting...

3.8) After a lot of Googling and research I found out that I hadn't checked the PowerShell history, which is a must. A very nice article about it is: https://michaelkoczwara.medium.com/windows-privilege-escalation-dbb908cce8d4

3.9) Navigate to: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
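The flip side of this step is the defender's one: PSReadline keeps every interactive command line a user typed, so credentials passed on the command line end up on disk in plaintext under each profile. Here is an added example, not from the original post, of a small audit script that scans exported ConsoleHost_history.txt files for the line shapes that typically carry a cleartext secret (ConvertTo-SecureString ... -AsPlainText, inline PSCredential construction, net use /user:, and -Password arguments) and reports them with line numbers. The sample history it scans is constructed with fictional values; the pattern list and file names are assumptions and should be extended to match your environment.

```shell
#!/bin/sh
# Added example, not from the original post: audit PSReadline history files for
# command lines that embed credentials.  Sample file and patterns are assumptions.
set -e

WORK="$(mktemp -d)"
HISTORY="$WORK/ConsoleHost_history.txt"

# Constructed sample history (fictional values), modelled on the kind of line the
# post found.  The quoted heredoc delimiter keeps $p, $c and backslashes literal.
cat > "$HISTORY" <<'EOF'
whoami
Get-ChildItem C:\Users
$p = ConvertTo-SecureString 'Example-P@ss-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential('DOMAIN\svc_example', $p)
Invoke-Command -ComputerName DC01 -Credential $c -ScriptBlock { hostname }
net use \\fileserver\share /user:DOMAIN\backup Winter2024!
Get-Date
EOF

# Line shapes that commonly carry a cleartext secret (case-insensitive ERE).
CRED_PATTERNS='ConvertTo-SecureString.*-AsPlainText|PSCredential\(|/user:|-Password[[:space:]]'

# Prints "<line-number>:<line>" for every hit; exits 0 even when nothing matches,
# so it can be run over many profiles in a loop without aborting.
scan_history() {  # $1 = path to a ConsoleHost_history.txt
    grep -n -i -E "$CRED_PATTERNS" "$1" || true
}

# Number of hits, for a summary line or a ticket.  $1 = history path
count_findings() {
    scan_history "$1" | grep -c . || true
}

scan_history "$HISTORY"
echo "findings: $(count_findings "$HISTORY")"
```

On a real host the same scan runs over `C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` for every profile; any hit means the credential should be rotated, not just the file cleaned up, because the history may already have been copied.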

4) Finally, svc_deploy's password. With it we can read the LAPS password, which is also the local Administrator password. For that I will use pyLAPS, which can be found here: https://github.com/p0dalirius/pyLAPS. Don't be like me and spend a lot of time troubleshooting because you used double quotes rather than single quotes (the password contains a $, which the shell expands inside double quotes):

python pyLAPS.py -action get -d "timelapse.htb" -u "svC_deploy" -p 'E3R$Q62^12p7PLIC%KWaxuaV' --dc-ip 10.10.11.152

### The same can be done using NetExec ###

4.1) Great, we have the local administrator password now; let's get a shell as admin. I first tried to do so using psexec, but that failed. I was able to get it via wmiexec:

4.2) Surprisingly, root.txt is not on the Administrator's Desktop but on TRX's Desktop; TRX is another Domain Admin... GG!

Lessons Learned

1) This was an amazing machine, and I had to learn a lot and troubleshoot a lot xD. The first thing I learned is cracking password-protected zip files with the help of zip2john, then some hash editing, and finally cracking with hashcat. You can use John as well, but I like hashcat better.

2) The next lesson is about cracking a .pfx certificate's password. I found a great tool for that: crackpkcs12.

3) The next thing I learned is how to authenticate via evil-winrm with a .pfx certificate by extracting the public and private key in PEM format with the openssl command.

4) I also learned about the Pass-the-Certificate attack; despite it failing here, it's good to know.

5) I learned the importance of checking the PowerShell history, as it can contain some juicy information for further exploitation.

6) And finally I learned about ReadLAPSPassword: what it is, and the tools to use in order to read it.
